Social Engineering: What is a whaling attack?
Estimated reading time: 8 minutes
A whaling attack is a form of phishing attack aimed at high-profile executives. By impersonating a highly-ranked professional, cybercriminals try to trick their victims into taking actions that harm them or their organisation. They usually try to obtain large wire transfers or sensitive information, or to plant malware through fraudulent links. The latter two mean that this social engineering technique can have longer-term consequences, because the cybercriminals can launch further attacks with the data retrieved from a whaling attack.
What is the difference between a phishing attack and a whaling attack?
They both use fake communications to trick their victims into taking actions that benefit the cybercriminal. However, while phishing scams are sent out massively, a whaling attack targets specific individuals considered ‘whales’ due to their high rank at a valuable organisation.
Table of contents
- What is the difference between a phishing attack and a whaling attack?
- How to identify whaling attacks
- How to protect yourself from a whaling attack
- What to do if you fell for a whaling attack
- How to prevent other types of social engineering
How to identify whaling attacks
It can be hard to identify a whaling attack. Cybercriminals put a lot of effort into crafting these scams, as the returns can be huge. In the past, they have tricked many highly-educated employees and caused substantial losses for their companies. To avoid this, organisations holding sensitive information or high monetary value should keep their employees informed about social engineering tactics.
How to recognize a whaling attack email
Whaling emails can display the following characteristics:
- Personalisation: the email sent to initiate the whaling attack will most likely include personalised information about the impersonated individual, the victim, or the organisation to create a sense of familiarity.
- Urgency: conveying urgency can get the victim to act before thinking of security practices. Attackers might also try to frighten victims using powerful personas that are difficult to disobey or with a threat to their reputation.
- Language: business language and tone are often used to convince the victim that the email has been sent by a high-ranked person. The attackers often use a scenario in which they ask the victim to perform a low-effort action (such as a quick money transfer to a supply partner) based on a fake threat. They may also emphasise confidentiality, so that the victim avoids talking about the email they have received. That way, nobody else can warn the victim that the email is part of a whaling attack.
- Legitimate signature: the attackers may use a believable email address, signature, and a link leading to a fraudulent website. We will show you how to recognize these further down the article.
- Files & Links: cybercriminals may use attachments or links to insert malware or to request sensitive information. Even if nothing happens when you click a link or submit information on its website, it could trigger a hidden malware download.
Examples of whaling attacks
- From ‘within’ the company
In 2016, a top finance executive of Mattel got a fraudulent email from someone impersonating the new CEO. This email contained a routine-looking request for a transfer to a new vendor in China. After the executive fell for the phishing scam, the company lost $3 million but managed to get all the money back after an arduous fight.
- From a third party
The following email scam tricked a handful of executives from different industries. The cybercriminal sent a fake email from the United States District Court with a subpoena to appear before a grand jury in a civil case. The emails included the executives’ name, company, and phone number, convincing them that it was official. When they clicked on the link for the subpoena, they got malware.
- With phone calls
The National Cyber Security Centre (NCSC) of the United Kingdom confirms that some whaling emails were backed up with phone calls from the attackers. A simple trick such as this can make their scam believable. Fortunately, there are ways to prevent falling for one.
How to protect yourself from a whaling attack
In addition to causing losses of money or data, whaling attacks can affect the reputation of the victim and their organisation. Some companies have fired employees because they had fallen for social engineering tactics. For instance, FACC fired its CEO for this reason. Unfortunately, according to HP, these kinds of cybersecurity attacks increase year after year, along with the number of targeted victims.
To avoid becoming one of the whaling attack statistics, we recommend following these tips:
1 – Be aware
Know that there are different types of whaling attacks and that they can be well disguised. When receiving a particular request, remember to:
- Double-check the sender’s email address when the message appears to come from a colleague. When the email comes from a third party, look up that company’s authentic email address and compare it with the one the email was sent from.
- Check whether the domain in the link corresponds to the domain name of the company it is supposed to come from. If it differs, even slightly, it probably means it’s a fake email trying to impersonate that company. If so, there is probably an associated fraudulent website you must avoid connecting to. Hover over the embedded link with your mouse: the associated domain name appears at the bottom-right corner of your browser, so you can compare it with the actual domain name of the company.
- Check the suspicious website’s domain age to see if it matches the trusted one. If the suspicious domain is younger, then you should not trust it.
- Question the validity of any request for money or sensitive information.
The following kinds of tools can help with these checks:
- URL redirect checker: shows you the path a link will take you through before reaching its final destination.
- Website screenshot service: takes a screenshot of a site when you provide a link, allowing you to view what it looks like before accessing it.
- Domain age checkers: allow you to compare a questionable link and a link from the authentic site to see if their ages match.
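The sender-address and link-domain checks described above can also be automated. The following is an added example, not code from the Mailfence article or product: it takes a constructed sample message, compares the sender's domain and every link's host against an assumed company domain (the placeholder `example-corp.com`), and flags the usual tricks, a near-miss top-level domain, a look-alike host where the real name only appears as a prefix, and a `user@host` URL whose part before the `@` is not the destination. Only the Python standard library is used.

```python
# Added example (not from the Mailfence article): the sender-address and link-domain
# checks described in the tips above, applied to a constructed sample message.
# TRUSTED_DOMAIN is a placeholder for the organisation's real domain; only the
# Python standard library is used.
from __future__ import annotations

from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "example-corp.com"  # placeholder, assumed company domain


def registrable_matches(hostname: str, trusted: str) -> bool:
    """True when hostname is the trusted domain itself or one of its subdomains.

    Comparing with endswith("." + trusted) defeats two common tricks: a look-alike
    where the trusted name is only a prefix ("example-corp.com.evil.test") and a
    near-miss TLD ("example-corp.co").
    """
    hostname = hostname.lower().rstrip(".")
    trusted = trusted.lower()
    return hostname == trusted or hostname.endswith("." + trusted)


def check_sender(from_header: str, trusted: str = TRUSTED_DOMAIN) -> list[str]:
    """Warnings for a From: header: wrong domain, or a display name that shows
    one address while the real address is another."""
    warnings: list[str] = []
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return [f"sender address could not be parsed from {from_header!r}"]
    domain = address.rsplit("@", 1)[1]
    if not registrable_matches(domain, trusted):
        warnings.append(f"sender domain {domain!r} is not {trusted!r}")
    if "@" in display_name and display_name.strip().lower() != address.lower():
        warnings.append(
            f"display name shows {display_name.strip()!r} but the real address is {address!r}"
        )
    return warnings


def check_link(url: str, trusted: str = TRUSTED_DOMAIN) -> list[str]:
    """Warnings for a link: credentials before the host (the part before '@' is
    not the destination), host outside the trusted domain, or plain http."""
    warnings: list[str] = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return [f"link {url!r} has no hostname"]
    if parts.username is not None:
        warnings.append(f"link hides its real host {host!r} behind '{parts.username}@'")
    if not registrable_matches(host, trusted):
        warnings.append(f"link domain {host!r} is not {trusted!r}")
    if parts.scheme != "https":
        warnings.append(f"link uses {parts.scheme!r} instead of https")
    return warnings


# Constructed sample message: a near-miss sender domain and three links, one
# legitimate, one prefix look-alike, one using the userinfo@host trick.
SAMPLE_MESSAGE = {
    "from": '"Jane Doe, CEO" <jane.doe@example-corp.co>',
    "links": [
        "https://portal.example-corp.com/invoices/2024-117",
        "https://example-corp.com.login-verify.test/pay",
        "http://example-corp.com@198.51.100.7/",
    ],
}


def scan_message(message: dict, trusted: str = TRUSTED_DOMAIN) -> list[str]:
    """Collect every warning for the sender and all links of one message."""
    findings = check_sender(message["from"], trusted)
    for link in message["links"]:
        findings.extend(check_link(link, trusted))
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MESSAGE):
        print("WARNING:", finding)
```

Running the script prints five warnings for the sample: one for the `.co` sender domain, one for the look-alike host, and three for the last link (hidden host, untrusted domain, plain http). The `endswith("." + trusted)` comparison is the important design choice: a plain substring test would accept `example-corp.com.login-verify.test`, which is exactly the "differs, even slightly" case the tip warns about.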
2 – Know the power of social media
Anything posted online can work against you. A whaling attack email could be personalised with photos, names, dates, and many other details found on social media. Cyberattackers also commonly use content published after conferences or company events, so employees should pay extra attention to potential scams after participating in these, since scammers are likely to refer to them.
A good practice is to set personal social media accounts to be private. However, it does not fully protect from content published by the company’s public channels (newsletters, social media, website, etc.). The next tip can help with this issue.
3 – Adopt company-wide data protection policies
A common understanding of what type of information can be shared publicly prevents cyber attackers from using it. By establishing cybersecurity best practices within your organisation, you can develop a sense of responsibility and accountability among your teams. Such policies can therefore protect your company against substantial losses.
Some data protection policies that companies take against whaling attacks are:
- Flag third party emails: makes it easier to identify email scams pretending to be sent from colleagues.
- Verify requests: when getting particular or urgent requests from a colleague’s email, it is a good idea to confirm who’s the actual sender with them. Talking in person, via a message, or a call can reassure you that it is not a scam.
- Multi-step verification: any request for a wire transfer or sensitive information should go through several checks by different people before being executed. For example, having two people sign off on each high-value money transfer is a simple step that goes a long way. It also lowers the fear factor of being the only employee accountable for such transactions, and gives the clarity needed when making important decisions.
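The two-person rule in the last item can be enforced in the payment workflow itself rather than left to habit. The following is an added example, not code from the Mailfence article or any company's real policy: a small dual-control check where a transfer needs two distinct approvers when it is high-value or goes to a beneficiary not seen before (the "new vendor" pretext from the Mattel case above), and where the person who entered the request can never approve it. The threshold, approver count and beneficiary list are assumed placeholders.

```python
# Added example (not from the Mailfence article): a minimal dual-control check for
# the "multi-step verification" policy above. Threshold, approver count and the
# list of known beneficiaries are assumed placeholders, not any company's policy.
from __future__ import annotations

from dataclasses import dataclass, field

HIGH_VALUE_THRESHOLD = 10_000  # assumed: transfers at or above this need two approvers
REQUIRED_APPROVERS = 2         # assumed: distinct approvers needed for dual control
KNOWN_BENEFICIARIES = {"ACME Supplies Ltd", "Northwind Logistics"}  # constructed sample list


@dataclass
class TransferRequest:
    requester: str      # employee who received the request and entered it
    beneficiary: str
    amount: float
    approvals: set[str] = field(default_factory=set)

    def needs_dual_control(self) -> bool:
        """High amounts and payments to unknown beneficiaries both need a second
        person: a 'new vendor' is the classic whaling pretext."""
        return self.amount >= HIGH_VALUE_THRESHOLD or self.beneficiary not in KNOWN_BENEFICIARIES

    def required_approvals(self) -> int:
        return REQUIRED_APPROVERS if self.needs_dual_control() else 1

    def approve(self, approver: str) -> None:
        """Record an approval while enforcing separation of duties."""
        if approver == self.requester:
            raise PermissionError("the requester cannot approve their own transfer")
        if approver in self.approvals:
            raise ValueError(f"{approver} has already approved this transfer")
        self.approvals.add(approver)

    def can_execute(self) -> bool:
        return len(self.approvals) >= self.required_approvals()


def approval_status(request: TransferRequest) -> str:
    """One-line summary for the person about to release the payment."""
    return (
        f"{request.amount:,.0f} to {request.beneficiary!r}: "
        f"{len(request.approvals)}/{request.required_approvals()} approvals, "
        f"{'release' if request.can_execute() else 'HOLD'}"
    )


if __name__ == "__main__":
    # Constructed scenario modelled on the Mattel case above: a large payment to a new vendor.
    req = TransferRequest(requester="finance.exec", beneficiary="New Vendor Co", amount=3_000_000)
    print(approval_status(req))   # 0/2 approvals, HOLD
    req.approve("controller")
    print(approval_status(req))   # 1/2 approvals, HOLD
    req.approve("cfo")
    print(approval_status(req))   # 2/2 approvals, release
```

The point of the `requester` check is that the employee who received the urgent email is exactly the person the attacker has already convinced; the policy only helps if the second signature comes from someone who has not read that email. Treating an unknown beneficiary as high-risk regardless of amount closes the gap where a first, smaller "test" payment slips under a purely monetary threshold.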
4 – Anti-phishing tools and courses
Scammers will always be a step ahead of the restrictions they face. Using tools and cybersecurity courses can help you identify the patterns of their tricks and prevent whaling attacks as much as possible. For example, a good practice is for the IT department to send simulated whaling emails to the company teams. By testing their reactions and giving them advice in the feedback of this simulation, the company can train its employees to adopt safer behaviour.
As for tools, there is anti-phishing software that can recognize fraudulent links and malware downloads. Also, a secure and private email provider, such as Mailfence, can keep away spam, ads, trackers, hackers and solicitations. Such tools can give users peace of mind from many social engineering tricks.
What to do if you fell for a whaling attack
If you suffered from social engineering and/or your email got hacked, read our blog post on Steps to take when your email is hacked. It explains how to control the damage, report it and prevent future hacking attacks.
If you were using a work device or account, contact your supervisor and the IT department as soon as possible. They will then be able to alert other employees and ensure that systems remain secure. The sooner you report the incident, the less time the attackers have to worsen the damage, and the earlier your organisation can set up a complete communication plan involving all affected parties.
How to prevent other types of social engineering
As mentioned before, the best way to prevent phishing and whaling attacks is to get informed. For this purpose, Mailfence created a free and easy-to-follow Email security and privacy awareness course.
The course helps users understand their threat profile to know which tips they need. Based on that, a series of articles by Mailfence share knowledge on different levels of security against cyber threats found in emails.
Stay up to date with our latest articles by following us on Twitter and Reddit. For more information on Mailfence’s encrypted email suite, please do not hesitate to contact us at firstname.lastname@example.org.
– Mailfence Team